Securing REST interface


Steve Bennett

Mar 1, 2011, 4:18:30 AM
to simal-con...@googlegroups.com
Hi all,
As we're starting to think about getting a small (read-only)
instance of Simal running live, I'll need to address some security
issues. One that just occurred to me is the REST interface - is it
currently open to anyone to send commands to? How would I go about
locking it down to only accept create/update/delete commands from
localhost (or other IP whitelist)?

Thanks,
Steve

Ross Gardler

Mar 1, 2011, 5:15:49 AM
to simal-con...@googlegroups.com

The simplest solution would be to use .htaccess

Any other sufficiently flexible solution would be actively considered,
but for our use case we don't need security on REST so don't expect us
to implement it any time soon (other than applying patches).

Ross

Steve Bennett

Mar 1, 2011, 7:05:27 AM
to simal-con...@googlegroups.com
Oh, of course. I didn't quite think that one through. Oops. :)

Steve


Steve Lee

Mar 1, 2011, 8:42:26 AM
to simal-con...@googlegroups.com, Ross Gardler
On 1 March 2011 10:15, Ross Gardler <rgar...@apache.org> wrote:
> On 01/03/2011 09:18, Steve Bennett wrote:
>>
>> Hi all,
>>   As we're starting to think about getting a small (read-only)
>> instance of Simal running live, I'll need to address some security
>> issues. One that just occurred to me is the REST interface - is it
>> currently open to anyone to send commands to? How would I go about
>> locking it down to only accept create/update/delete commands from
>> localhost (or other IP whitelist)?
>
> The simplest solution would be to use .htaccess

Good call.

Last time I looked I got a headache as there are no standards and
several options with various tradeoffs. This is a typical discussion:

http://stackoverflow.com/questions/454355/security-of-rest-authentication-schemes

Steve

Steve Bennett

Mar 10, 2011, 2:47:25 AM
to simal-con...@googlegroups.com, Steve Lee, Ross Gardler
On 2 March 2011 00:42, Steve Lee <st...@fullmeasure.co.uk> wrote:
> Last time I looked I got a headache as there are no standards and
> several options with various tradeoffs. This is typical discussion:
>
> http://stackoverflow.com/questions/454355/security-of-rest-authentication-schemes

FYI, here's what I've ended up doing:

In httpd.conf:
ProxyPass /simal-rest !

Also, I wanted to forward port 80 to 8080:

ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/

To block all direct access to port 8080:
iptables -A INPUT -j DROP -p tcp --destination-port 8080 -i eth0

I guess I could have just run Simal on port 80, but that seemed weird somehow.

Steve
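As an added example (not Simal's or Apache's own code), the script below simulates Apache's first-match evaluation of ProxyPass rules to show why the "ProxyPass /simal-rest !" exclusion has to appear before the catch-all "ProxyPass /": with the order reversed, the catch-all matches first and the REST interface is proxied out on port 80 after all. The configuration samples are constructed for the demonstration.

```python
# Added example (not Simal or Apache code): simulate Apache's ProxyPass matching.
# Apache checks ProxyPass rules in configuration order and the first matching
# prefix wins, so an exclusion placed after a broader mapping is never reached.
import re
from typing import List, Optional, Tuple

PROXYPASS_RE = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_proxypass(conf: str) -> List[Tuple[str, str]]:
    """(path, target) pairs in configuration order; a target of '!' excludes."""
    return [m.groups() for m in map(PROXYPASS_RE.match, conf.splitlines()) if m]


def resolve(conf: str, request_path: str) -> Optional[str]:
    """Backend a request would be proxied to, or None if excluded/unmatched."""
    for path, target in parse_proxypass(conf):
        if request_path.startswith(path):  # Apache does a literal prefix match
            return None if target == "!" else target
    return None


def shadowed_exclusions(conf: str) -> List[Tuple[str, str]]:
    """(excluded_path, earlier_mapping) pairs where the mapping matches first."""
    problems, mappings = [], []
    for path, target in parse_proxypass(conf):
        if target != "!":
            mappings.append(path)
            continue
        shadow = next((m for m in mappings if path.startswith(m)), None)
        if shadow is not None:
            problems.append((path, shadow))
    return problems


# Constructed sample: the ordering from the post (exclusion before catch-all).
GOOD_CONF = """
ProxyPass /simal-rest !
ProxyPass / http://localhost:8080/
"""

# Constructed sample: exclusion after the catch-all, so /simal-rest is exposed.
BAD_CONF = """
ProxyPass / http://localhost:8080/
ProxyPass /simal-rest !
"""

if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, shadowed_exclusions(conf) or "exclusions effective")
```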

Steve Lee

Mar 21, 2011, 3:18:59 PM
to simal-con...@googlegroups.com